Some design errors in the mobile applications of certain car brands make it possible to take control of the vehicle. Yuga Lab engineers seek out these bugs and submit them to the automaker and their contractors.
Sam Curry is cybersecurity researcher. With his colleagues from Yuga Lab, he has made a specialty of discovering the flaws in connected cars. He discovered that a bug in Hyundai’s mobile app would allow hackers to impersonate you and steal your car. To do this, it just needs your email address. He explains: “by adding a control character, carriage return or line feed, at the end of the email address of an existing account, we were able to create an account that bypassed the verification systems “.
We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.
To explain how it worked and how we found it, we have @_specters_ as our mock car thief: pic.twitter.com/WWyY6vFoAF
— Sam Curry (@samwcyo) November 29, 2022
Earlier this year, Mr. Curry and his colleagues also discovered a security flaw that could affect cars of different brands. They then realize that the commonality between most vehicles is the telematics service provider SiriusXM Connected Vehicles. This company can unlock or lock your car remotely. To do this, it needs either your email address or the vehicle’s VIN code. This company’s technology is highly valued. The list of its customers is long and includes, among others, Fiat, Land Rover, Lexus, Hyundai, Honda or even BMW and Jaguar.
Hackers can get your private data through a simple VIN code
To unlock a car and take control of it, the hackers just needed the vehicle’s VIN code. After submitting this number to the SiriusXM servers, they obtained all the rights to unlock the vehicle, and take control of it. “You could run commands on the car and collect customer account information just with a VIN code, which you find on the windshield,” says Curry.
Sirius XM’s verification system showed the coordinates and identifiers of their clients in the headers of requests to the server. According to Me Curry, once informed of these flaws, companies are quick to deploy a patch. Cybercriminals didn’t have time to exploit them.
Our cars are always more connected, and that’s very practical. That said, their growing reliance on computers and wireless technologies increasingly exposes us to the risk of fraud and theft. We remember this series of security flaws linked to Bluetooth which allowed us to steal a Tesla Model X in 90 seconds.
To read – Tesla: A flaw in the key card allows the car to be stolen in 2 minutes
